Hi,
We recently introduced a subordinate CA into our haproxy setup (previously we were using a self-signed CA to sign the haproxy and client certs).
For some reason we are seeing “SSL client CA chain cannot be verified” on the haproxy logs when testing with s_client.
On the client side we see:
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
I’m stuck on this issue as the CA chains are identical. They contain both the SubCA and the RootCA. The haproxy and client certs are both signed by the SubCA.
[root@proxy ~]# openssl s_client -host proxy -port 11443 -cert cert.pem -key key.pem -CAfile cacert.pem
CONNECTED(00000003)
depth=2 CN = AdminCA, O = ACME, C = US
verify return:1
depth=1 CN = ACMESubCA
verify return:1
depth=0 CN = proxy, O = ACME
verify return:1
140691807639456:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
140691807639456:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
Certificate chain
0 s:/CN=proxy/O=ACME
i:/CN=ACMESubCA
1 s:/CN=ACMESubCA
i:/CN=AdminCA/O=ACME/C=US
2 s:/CN=AdminCA/O=ACME/C=US
i:/CN=AdminCA/O=ACME/C=US
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=/CN=proxy/O=ACME
issuer=/CN=ACMESubCA
Acceptable client certificate CA names
/CN=ACMESubCA
/CN=AdminCA/O=ACME/C=US
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 4134 bytes and written 3962 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: A4F5F91B50337BCB74BB7E67AB880B84DF242C6F84FDCBEDBD58746CC40FCB5D5109152D060FC9FCC9331F999611E834
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1473180218
Timeout : 300 (sec)
Verify return code: 0 (ok)
The proxy cert verifies OK against the chain:
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem proxyCert.pem
proxyCert.pem: OK
The client cert verifies OK against the chain:
[root@proxy ~]# openssl verify -CAfile proxy-CA.pem cert.pem
/root/cert.pem: OK
This is only an issue when the CRL from the SubCA is specified:
[root@proy ~]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=ACMESubCA
Last Update: Sep 6 00:03:25 2016 GMT
Next Update: Sep 6 00:03:25 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:F6:23:57:B2:F0:B5:77:2A:B3:B2:EC:AA:A6:11:E5:97:C0:52:03:AA
X509v3 CRL Number:
19
Revoked Certificates:
Serial Number: 308D55C0EC639B8D
Revocation Date: Sep 2 20:19:54 2016 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Privilege Withdrawn
Any help would be much appreciated.
Cheers,
Jason
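As an added example, not part of the original post: the script below (assuming only that the openssl CLI is installed; every key, name and file in it is constructed for the demo) rebuilds the post's root/sub CA layout and runs OpenSSL's full-chain CRL check (-crl_check_all, the mode haproxy enables for crl-file), which needs a CRL from every CA in the chain, first with the sub CA's CRL alone and then with the root CA's CRL added.

```shell
#!/bin/sh
# Added example, not from the original post: root CA (AdminCA) -> sub CA
# (ACMESubCA) -> leaf, a CRL for the sub CA only, and a full-chain CRL check
# with and without the root CA's CRL. All keys, names and files are constructed.
set -eu
W=$(mktemp -d)
cd "$W"
# Minimal req config; the [ca] section gives CA certs basicConstraints + cRLSign.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> req.cnf
# Minimal "openssl ca" config for CA "$1", used only to emit its CRL.
ca_conf() {
  printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s.idx\ncertificate=%s.pem\n' "$1" "$1" > "$1.cnf"
  printf 'private_key=%s.key\ndefault_md=sha256\n' "$1" >> "$1.cnf"
  : > "$1.idx"   # empty issued-certificate database (no revocations needed here)
}
gen_crl() { ca_conf "$1"; openssl ca -gencrl -config "$1.cnf" -crldays 30 -out "$1.crl" 2>/dev/null; }
for n in root sub leaf; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
# Root: self-signed. Sub CA: signed by root. Leaf: signed by sub (the "proxy" role).
openssl req -x509 -new -key root.key -out root.pem -subj /CN=AdminCA -days 30 -config req.cnf 2>/dev/null
openssl req -new -key sub.key -out sub.csr -subj /CN=ACMESubCA -config req.cnf 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -set_serial 1 -days 30 \
  -extfile req.cnf -extensions ca -out sub.pem 2>/dev/null
openssl req -new -key leaf.key -out leaf.csr -subj /CN=proxy -config req.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -set_serial 2 -days 30 -out leaf.pem 2>/dev/null
gen_crl sub          # the only CRL the post's setup provides
gen_crl root         # the one a full-chain check also needs (covers sub and root itself)
cat sub.crl root.crl > both.crl
# verify_chain CRLFILE: full-chain CRL check of leaf.pem; prints OK or "FAIL: reason".
verify_chain() {
  if openssl verify -crl_check_all -CAfile root.pem -CRLfile "$1" \
       -untrusted sub.pem leaf.pem >/dev/null 2>err.txt; then
    echo OK
  else
    echo "FAIL: $(grep -o 'unable to get certificate CRL' err.txt | head -n 1)"
  fi
}
echo "sub CA CRL only : $(verify_chain sub.crl)"    # FAIL: unable to get certificate CRL
echo "sub + root CRLs : $(verify_chain both.crl)"   # OK
```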